Fedora Community Pre-Beta Testing
Till Maas
opensource at till.name
Wed May 13 20:58:25 UTC 2009
On Mi Mai 13 2009, Tom "spot" Callaway wrote:
> On 05/13/2009 04:32 PM, Till Maas wrote:
> > I hope this is only misleading, but it looks to me that this test
> > application demands the original FAS username/password from testers,
> > which are then sent via an connection where the certificate cannot be
> > easily verified by the testers. Also it is a bad idea to use these very
> > important credentials in an application that may still have security
> > flaws, because it is still in development. Last but not least this is
> > also a bad education for the users that get used to provide their
> > credentials to untrustworthy websites.
>
> I'm not entirely sure I follow this logic. Lots of things authenticate
> against FAS. The source code for every bit of this web application is
> open source and available for review. Do you trust Bodhi? How about
> pkgdb? Or koji? Barring some specific security vulnerability (which you
> haven't pointed out), this criticism seems unfounded.
Koji requires a client SSL certificate for authentication, therefore afaik an
attacker can only get access to the koji web interface using a man in the
middle attack, i.e. changing the SSL certifcate of the koji webinterface
atfter gettin in between the user and the webinterface. This is e.g. often
easily possbile in networks of conferences. The other webservices (pkgdb and
Bodhi) use a SSL certificate by a well know CA, therefore webbrowsers on
Fedora systems can easier verify the certificate. Except of course in case the
attacker posseses a rouge CA certifcate, that is signed by other CAs that are
unluckily shipped with Fedora.
Also I trust Bodhi, Koji and the Pkgdb more, because they are not announced to
be trustworthy by their developers. You wrote in the announcement:
| Please don't rely on this test instance for anything.
For me this means, that one cannot rely on the test instane for protecting
highly sensitive data, which the FAS credentials imho are. Also not using a
good SSL certificate is already a first indication that security is not (yet)
important for the test instance. The certificate seems not to be even signed
by some private Fedora CA.
Regards
Till
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: This is a digitally signed message part.
URL: <http://listman.redhat.com/archives/fedora-devel-list/attachments/20090513/2c08d705/attachment.sig>
More information about the fedora-devel-list
mailing list